Tiny Deathstars of Foulness

I covered managing devices based on policy in One of those policies is “modern authentication”, Azure Passthrough Authentication, or OAuth if you will. To enable it, log into Exchange Online via PowerShell and run the set-OrganizationConfig to set -OAuth2ClientProfileEnabled to True:

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

If you’re using Skype, do an override:

Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

Now check that OAuth was enabled properly:


And viola, you’ve caught up to where WordPress was at with OAuth 8 years ago! Next, check the global ADFS authentication rule:


And you can use Set-AdfsAdditionalAuthenticationRule. Now, you should be able to check the ADFS rules required for a given MFA requirement:

Get-AdfsRelyingPartyTrust –Name "Krypted"

And then if necessary, set them:

Set-AdfsRelyingPartyTrust –TargetRelyingParty Krypted –AdditionalAuthenticationRules ‘c: [Type == "", Value == "S-1-5-21-Insert your Group SID here"] && [Type == "", Value == "false"] => issue(Type = "", Value = "");’

You can then check groups:

GetADGroup -Identity "Krypted Users"

May 9th, 2017

Posted In: Microsoft Exchange Server, Network Infrastructure, Windows Server

Tags: , , , , ,

Leave a Comment